Question

I've been toying around with Jersey's OAuth2.0 Client Support Library. And it works like a charm too. However, I can't seem to find a way to specify the state parameter which gets sent in the authorization request. Jersey generates a random UUID for me and lets me retrieve it when I get the authorization provider's response. Before that, the only option I have come up with is to manually parse the URI string which start() returns. But this shouldn't be right, right? Either I am missing something in Jersey or I am missing the point of the state parameter... So do you know of any (more elegant than mine) way to extract the state parameter just after I start() the flow? Or a way to put my own state variable in the flowBuilder?

I'm using Jersey 2.5.1 by the way.

Edit to include a code sample:

final ClientIdentifier clientIdentifier = new ClientIdentifier(CLIENT_ID, CLIENT_SECRET);
final OAuth2CodeGrantFlow codeGrantFlow = OAuth2ClientSupport
        .googleFlowBuilder(clientIdentifier, redirectURI, scope)
        .prompt(OAuth2FlowGoogleBuilder.Prompt.CONSENT)
        .build();
final String googleAuthURI = codeGrantFlow.start();

How do I get/set the state somewhere in there?

Edit2: Here is the feature request on Jersey's JIRA: https://java.net/jira/browse/JERSEY-2342. In the meantime, what Michal Gajdos suggested works fine for me.

Solution

You can use the OAuth2CodeGrantFlow.Builder#property(...) method to set the state parameter:

final OAuth2CodeGrantFlow codeGrantFlow = OAuth2ClientSupport
        .googleFlowBuilder(clientIdentifier, redirectURI, scope)
        .prompt(OAuth2FlowGoogleBuilder.Prompt.CONSENT)
        .property(OAuth2CodeGrantFlow.Phase.AUTHORIZATION, OAuth2Parameters.STATE, state)
        .build();

I agree, it's not very convenient. If you have a legitimate use-case to modify builder/flow, feel free to file an improvement to our JIRA.
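
An added example (not part of the original answer or of Jersey itself) showing why a caller would want to set the state: it is the value that ties the provider's callback to the browser session that started the flow, so it should be unguessable, stored server-side, and checked once on return. The class name StateBoundFlow, the sessionId argument and the in-memory maps standing in for a real session store are hypothetical; Java 8+ is assumed for java.util.Base64.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.glassfish.jersey.client.oauth2.ClientIdentifier;
import org.glassfish.jersey.client.oauth2.OAuth2ClientSupport;
import org.glassfish.jersey.client.oauth2.OAuth2CodeGrantFlow;
import org.glassfish.jersey.client.oauth2.OAuth2Parameters;
import org.glassfish.jersey.client.oauth2.TokenResult;

/** Hypothetical helper: issues a per-session state and verifies it on the callback. */
public final class StateBoundFlow {
    private static final SecureRandom RNG = new SecureRandom();
    // Stand-ins for a server-side session store, keyed by the caller's session id.
    private final Map<String, OAuth2CodeGrantFlow> flows = new ConcurrentHashMap<>();
    private final Map<String, String> states = new ConcurrentHashMap<>();

    /** Starts the flow and returns the authorization URI to redirect the browser to. */
    public String start(String sessionId, ClientIdentifier id, String redirectUri, String scope) {
        byte[] raw = new byte[32];                 // 256 bits from a CSPRNG
        RNG.nextBytes(raw);
        String state = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        OAuth2CodeGrantFlow flow = OAuth2ClientSupport
                .googleFlowBuilder(id, redirectUri, scope)
                .property(OAuth2CodeGrantFlow.Phase.AUTHORIZATION, OAuth2Parameters.STATE, state)
                .build();
        states.put(sessionId, state);
        flows.put(sessionId, flow);
        return flow.start();
    }

    /** Callback handler: rejects the response unless its state matches this session's. */
    public TokenResult finish(String sessionId, String code, String returnedState) {
        String expected = states.remove(sessionId);        // single use, even on mismatch
        OAuth2CodeGrantFlow flow = flows.remove(sessionId);
        if (expected == null || flow == null || returnedState == null
                || !MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                          returnedState.getBytes(StandardCharsets.UTF_8))) {
            throw new SecurityException("OAuth2 state mismatch for this session");
        }
        return flow.finish(code, returnedState);
    }
}
```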

Licensed under: CC-BY-SA with attribution